How to detect who last accessed a file with DataSecurity Plus

Start your free trial

Why should you track who last accessed a file?

  • To find essential information such as who made changes, when, and where from the last file access event.
  • To identify unauthorized access attempts.
  • To obtain valuable forensic information regarding access attempts in case of a data breach. 
     
  • DataSecurity Plus
  • Windows Native Auditing

Steps to configure DataSecurity Plus to track file accesses 

  1. Download and install DataSecurity Plus.
  2. Open the DataSecurity Plus console.
  3. Navigate to Admin Console > Admin > Administrative Settings > Domain Settings and click + Add Domain in the top-right corner to add a new domain.
  4. Provide the Domain Name along with its username and password. Add required domain controllers and click Save.
  1. To add file servers, navigate to File Audit > Configuration and click the  + Add Server button located in the top-right corner.
  2. Select your domain and add servers that you want to audit.
  3. Choose the files and folders to be audited from Select Objects to Monitor.
  4. Click Install Agent and Finish. The agent is now installed successfully.

Under the File Audit tab, go to Access Audit and click All File/Folder changes report to get details on the who, when, and where of all the changes made to the files. To view all the read accesses made to the file, go to Access Audit under the File Audit tab and generate the Read Events report. You can apply filters here to view the data of a specific file.

Steps to track access for a particular file

  1. Go to the File Audit tab.
  2. Navigate to Configuration > General Settings > Custom Reports.
  1. Click the Server Specific Reports within Custom Reports tab.
  2. Provide a suitable report name and description.
  3. In the Criteria section, add the following filters:
    1. Action: All
    2. File Name: Enter the name of the file that you want to audit. (For this example, we'll name the file Employee data.)
  4. Click Save.
  1. Navigate to Access Audit > Custom Server Reports.
  2. Choose the custom report that you just created.

You have now successfully configured DataSecurity Plus to discover all the accesses to the required file. The entry with the most recent time stamp shows who has last accessed the file.

Steps to set an audit policy 

  1. Launch the Group Policy Management console through either of these methods:
    • Navigate to Server Manager > Tools > Group Policy Management Console.
    • Press Win+R and in the Run dialog box that appears, type gpmc.msc and click OK.
  2. The Group Policy Management Console window will open. A new Group Policy Object (GPO) can be created, or an existing one can be modified.
  3. If you want to add the group policy to an existing GPO, go to step 6.
  1. To create a new GPO, right-click on the domain, site, or OU where you want to apply the policy and click Create a new GPO dialog in this domain and Link it here.
  2. Enter a name for the GPO in the New GPO dialog box and click OK.
  1. Now right-click on that GPO and choose Edit.
  2. In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy
  1. From the list of audit policies, double-click on Audit Object Access to open its Properties.
  2. Select the Define these Policy Settings checkbox and then choose both Success and Failure if you need to audit all the accesses made on the object.
  3. Click Apply and then OK to close the window.
  1. The GPO will be automatically updated. To update it manually, open the Command Prompt and type gpupdate /force and press Enter. Now the GPO is updated. 

Steps to set the auditing properties for the required file

  1. Right-click the file (Employee_Data) that you want to audit and choose Properties.
  2. Go to the Security tab and click Advanced to open the Advanced Security Settings window.
  3. Go to the Auditing tab and click Add to create a new audit entry. The Auditing Entry window appears.
  1. Click on Select a Principal and the Select User, Computer, Service Account, or Group dialog box appears.
  2. Select Everyone as the object name and click Check Names.
  3. Click OK to close the dialog box.
  1. Choose the type of action you want to audit from the drop-down list. If you want to audit all successful and failed events, choose All.
  2. This folder, subfolders and files is selected by default in the Applies To option.
  3. Under the Permissions section, select Full control and click OK.
  4. The new entry is now added. Click Apply and OK to close the window.
  5. Click OK in the Properties window.

Steps to view who has accessed the file using the Event Viewer

  1. Open the Event Viewer.
  2. Navigate to Windows logs > Security.
  1. Click on the Filter Current Log option on the right pane of the window so the Filter Current Log window appears.
  2. Under the Task category option, enter the event ID for which you want to view logs. When a file is accessed, the event IDs 4656 and 4663 are logged. Enter these event IDs and click OK.
  1. The file access log is now displayed.
  2. To search for the access log for a particular file, click Find... in the right pane.
  3. Provide the file name and click Find Next.
  4. The first highlighted entry in the list has the latest time stamp.
  5. Double-click on the highlighted log to view the access details.

You can now view who last accessed the file using native auditing.

Why is native auditing not preferred?

  • The amount of logs increases rapidly, so they must be archived or cleared frequently.
  • It doesn't offer centralized file auditing capabilities across multiple file server environments.
  • The logs contain excessive noise, making it time-consuming to obtain important data from them.
  • It doesn't offer built-in report generating capabilities to meet compliance requirements.

While native auditing records all events, it doesn't offer much help when it comes to retrieving the required information or proving adherence to compliance standards. 
DataSecurity Plus overcomes these shortcomings and provides a comprehensive file auditing solution that can be configured and installed within minutes.

 

Ensure data security and integrity with the help of ManageEngine DataSecurity Plus.

Email Download Link